Welcome to latest edition of Cyber_Bytes, our bi-weekly roundup of key developments in cyber, tech and evolving risks.

Underwood v Bounty UK Ltd & Hampshire Hospitals NHS Foundation Trust [2022] EWHC 888 (QB)

This case concerns a claim against a pregnancy support company (Bounty), which had been granted access by the Hampshire Hospitals NHS Foundation Trust (the Trust) to new mothers on its maternity ward. Bounty was found to be in breach of the Data Protection Act 1998 when the company's representatives unlawfully inspected personal information about a mother and her new born child from documentation held at the mother's bedside. However, the Trust itself was not considered by the Court to have breached its statutory duties under the Data Protection Act 1998, nor was it found to be liable for misuse of private information. Bounty, not the Trust, was the relevant controller for this unauthorised processing of data and had breached its contractual duties in the process.

This High Court decision emphasises that a data controller is not liable for the actions of a third party gaining unauthorised access to personal data in circumstances where it was reasonable and appropriate for that data not to be strictly withheld. Whether a data controller has taken " appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data " is fact sensitive and requires a sensible accommodation of these various rights and interests.

The High Court also dismissed a claim for misuse of private information. The fact that Bounty was permitted by the Trust to have access to the Claimant (a new mother) was not an act sufficient to engage the tort, particularly since the data obtained by the mother's bedside had been obtained without the Trust's consent or knowledge. In any event, a person's name, gender and date of birth (even that of a new born infant) was not information of a nature which surpassed the threshold of seriousness required to be actionable for misuse of private information, especially given the regular exposure of such information in data breaches.

Click here to read the full judgment on Bailii.org

Over 42 million people in the UK had financial data compromised

The UK is a prime example of how compromised systems can have a potential economic impact as the number of cyberattacks grows. A publication from RPC commented on the fact that in the last year financial information belonging to approximately 42.2m people in the UK had been subject to compromise. This is a massive increase when compared to the 2019-2020 figure which saw 2.2m individuals being subject to a data compromise.

Richard Breavington - Partner and Head of Cyber & Tech Insurance at RPC - states that the sharp rise in the number of people whose financial data was impacted in the last year demonstrates that cyber-attacks have become endemic, with hackers continually refining their methods and evolving their tactics.

Impacted organisations' financial costs can be dramatic and include the cost of business interruption as well as costs required for the legal and regulatory ramifications of the data breach.

Increasing numbers of cyberattacks will inevitably affect consumers' confidence over the security of their personal data. It is therefore important for businesses to take precautions when processing and storing personal data. This includes implementing a safe data storage system and investing in robust IT security software.

Click here to read Tech Republic's coverage of this story.

European Commission proposes new cyber security regulations In March 2022, two new regulations establishing common cyber and information security measures across the bloc were proposed by the European Commission (EC). Their objective is to bolster resilience and response capacity against cyber threats in the context of the COVID-19 pandemic and growing geopolitical tensions.

In January, the World Economic Forum (WEF) published a report that established cyber security threats, such as ransomware and nation-state-backed attacks, to rank among the most prolific risks currently faced internationally.

The proposed cybersecurity regulations will require all EC institutions, bodies, offices and agencies to have cyber security frameworks in place to support and strengthen governance, risk management and control.

Certain organisations within the EC will also be obliged to conduct regular maturity assessments, implement improvement plans and promptly share any data relating to cyber incidents with the Computer Emergency Response Team (CERT-EU).

In parallel with this, the UK is also looking to evolve its data legislation, with a series of updates expected to affect the 2018 Network and Information Systems (NIS) Regulations. In particular, the scope of the Regulations will widen to include managed service providers (MSPs) and providers of specialised online and digital services.

Click here to read Computer Weekly's coverage of the story.

Businesses urged to boost cyber standards as new data reveals nearly a third of firms suffering cyberattacks hit every week As more and more business is transacted online, it is becoming increasingly vital for organisations to take cybersecurity seriously to minimise the risk of attacks. Following a wave of high-profile attacks over the past year, including on Colonial Pipeline and Microsoft Exchange, there has been increased attention on the cybersecurity of supply chains and digital services.

Organisations are being urged to strengthen their cybersecurity practices as new figures show that the frequency of cyberattacks increasing. Around a quarter to a third of businesses and charities are stating that they experience breaches at least once a week. Although the Cyber Security Breaches Survey 2022 report from the Department for Digital, Culture, Media and Sport (DCMS) (click here to review this paper) revealed the frequency of cyberattacks is rising, the number of businesses which experienced an attack or breach remained on a par to 2021 levels. The report found that a large proportion of businesses see cybersecurity as a high priority, a significant increase on previous years. However, only around a third of businesses was using at least one managed service provider and only 13% of businesses reviewed the risks posed by immediate suppliers.

The National Cyber Security Centre (NCSC) has issued guidance around steps which can be taken to reduce the risk of falling victim to an attack, although it is not aware of any current specific cyber threats to UK organisations in relation to events around Ukraine. The government is also aiming to strengthen critical businesses’ cyber resilience by investing in cyber skills, expanding the country’s offensive and defensive cyber capabilities, and prioritising cyber security in the workplace, boardrooms and digital supply chains. It aims to ensure that legislation remains effective and keeps pace with technology.

Click here to read the UK Government's coverage of the story.

U.S. warns newly discovered malware could sabotage energy plants Earlier this month, U.S. officials announced the discovery of a sophisticated system for attacking industrial facilities dubbed "Pipedream" by Dragos Inc, industrial control security experts. The system is believed to be Russian and can manipulate equipment found in virtually all complex industrial plants.

The software is intended to take advantage of longstanding weaknesses present in control systems, such as the standard industry requirements for compatibility leading to the unencrypted flow of data between various types of equipment.

Investigators have stated that essentially almost any plant can fall victim, and that it will likely be months or years before any strong defences can be developed.

The National Security Agency, the Energy Department, the Cybersecurity and Infrastructure Security Agency and the FBI issued a joint warning notice reporting the system’s discovery. Liquefied natural gas plants are believed to be the primary target given the type of equipment that would typically be utilised in such facilities.

Click here to read The Washington Post's coverage of the story.